CVSS scoring version

[lizrice]

Posting on behalf of the person who emailed this question

I have a question regarding the CVSS scoring version used by Trivy for classifying the severity levels of CVE vulnerabilities. It appears that Trivy uses CVSS version 2.0, as shown in the example below.

• https://nvd.nist.gov/vuln/detail/CVE-2019-15847
  • CVE-2019-15847 is classified as a Medium level vulnerability by the Trivy scan
  • On the nist.gov website, it has a CVSS v3.1 Score of 7.5 (High) and a CVSS v2.0 Score of 5.0 (Medium)

Can you confirm that CVSS version 2.0 is used by Trivy and not CVSS 3.x? Also, if version 2.0 is used by Trivy for the CVE scores and the classification of severity levels, when might Trivy be updated to use CVSS version 3.x?

[lizrice]

The OP was correct - we do currently default to CVSS V2, but we are planning to move to V3 - see aquasecurity/trivy-db#72

[stevegileno]

Thanks Liz for the post and your response. I will follow up on the linked thread.